To further elaborate, even if the virtual DN is set instead of the real one in c_ndn, the operation fails because ACL checking passes through bi_entry_get_rw(), which is not provided by slapo-rwm, and can't be provided according to the current design, since it does not allow to massage the arguments. As a quick'n'dirty fix, what you can do is make the proxy database serve both naming contexts, namely
database ldap suffix "dc=remote,dc=local" suffix "dc=remote"
This works for getting the query to the right place; thanks! Remapped attributes in the acl obviously don't work, but working around that is straight-forward also.
This is a hack; the real fix requires to redesign the API of bi_entry_get_rw(), to let it modify the request arguments while letting the real function do the hard job.
Right, okay.
Matthew Backes Symas Corporation mbackes@symas.com